Google to Android users: No passwords, you get fingerprint login to some sites

Google takes a step towards cutting out passwords for some parts of authenticating to online services.
Written by Liam Tung, Contributing Writer

Just like Microsoft, Google is adopting new standards to begin letting users log in to websites using a phone's fingerprint sensor, rather than a password. 

The company has announced a key step in that direction by enabling fingerprint-based verification when visiting some Google services on its Pixel phones. It is rolling out the feature via a Google Play Services update to all devices running Android 7 or later over the next few days.

The new capability follows Google's announcement in February that Android 7 and later were certified under the FIDO2 standard. FIDO2, together with the W3C's companion WebAuthn API that lets websites request such credentials from the browser, is intended to reduce users' reliance on passwords.

Microsoft's Windows Hello biometric login system in Windows 10 version 1903 was similarly FIDO2 certified this year, allowing users to sign in to a host of Microsoft's online services with a fingerprint, face, or PIN.  

Google's Android update is the start of bringing a no-password experience to over a billion Android users, or about half the total Android user base.      

The combined standards could help stem some of the downsides of familiar password-based logins. Many people choose simple passwords so they are memorable, but simple passwords are quickly cracked when a site's password database leaks.

To use the new 'local user verification' for Google Accounts, users need to be running Android 7 or later, and a personal Google Account must be added to an Android device that has a screen lock set up.

Using Chrome on Android, users can try the feature on Google's password manager site, https://passwords.google.com, which lists the user's saved sites and credentials. Before revealing a saved password, the site asks the user to confirm their identity by scanning a fingerprint.

Google draws an important distinction between local user verification and the two-step verification it uses to give accounts additional protection against phishing. Both build on FIDO2: security keys, such as Google's own Titan keys and those from Yubico, and local user verification alike.


However, local user verification is used for "reauthentication during step-up flows to verify the identity of the already signed-in user".

Security keys, on the other hand, can be used to set up a new device, such as an Android phone, as part of a two-step verification process that confirms the person adding the device is the account's owner. Google uses security keys in its Gmail Advanced Protection Program.

Google says users need not worry about their fingerprints being sent to its servers: the fingerprint is enrolled and stored only on the device. What the device sends to Google after a successful scan is a cryptographic proof, a signature produced by a key held on the device, that the user was verified locally.

Once Google has registered a credential for a specific Android device, the user can sign in to a compatible service with a fingerprint on that device.

"This new capability marks another step on our journey to making authentication safer and easier for everyone to use," writes Dongjing He, software engineer, and Christiaan Brand of Google.  

"As we continue to embrace the FIDO2 standard, you will start seeing more places where local alternatives to passwords are accepted as an authentication mechanism for Google and Google Cloud services."
